id Software blatantly put a backdoor in Quake 1/2 and QuakeWorld, including the Linux/Solaris Quake2 builds. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged. Since Quake talks UDP, the source address is trivial to forge, so the subnet restriction protects nobody but id.

Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.
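To make the backdoor logic concrete, here is an added model of the rcon check (written for this page, not id Software's code). It assumes the Quake out-of-band wire format of four 0xFF bytes followed by "rcon <password> <command>"; the subnet and password are the ones from the advisory, everything else (the sample datagram, the configured password) is constructed.

```python
"""Added illustration of the rcon check described above; this is not id
Software's code. The wire format assumed here is the Quake out-of-band
datagram: four 0xFF bytes followed by "rcon <password> <command>"."""
import ipaddress

BACKDOOR_NET = ipaddress.ip_network("192.246.40.0/24")  # subnet named in the advisory
BACKDOOR_PASSWORD = "tms"                                # password named in the advisory
OOB_HEADER = b"\xff\xff\xff\xff"


def parse_rcon(datagram):
    """Split an out-of-band rcon datagram into (password, command).

    Returns None for anything that is not an rcon request."""
    if not datagram.startswith(OOB_HEADER):
        return None
    body = datagram[len(OOB_HEADER):].decode("latin-1").rstrip("\r\n\x00")
    parts = body.split(" ", 2)
    if len(parts) != 3 or parts[0] != "rcon":
        return None
    return parts[1], parts[2]


def rcon_validate_backdoored(src_ip, password, configured_password):
    """The decision the advisory describes. Returns (accepted, logged): a packet
    from the id subnet carrying "tms" is accepted no matter what rcon_password
    is set to, and is never logged."""
    if ipaddress.ip_address(src_ip) in BACKDOOR_NET and password == BACKDOOR_PASSWORD:
        return True, False
    accepted = configured_password != "" and password == configured_password
    return accepted, True


def rcon_validate_fixed(src_ip, password, configured_password):
    """What the check should be: the configured password only, no special
    source addresses, every attempt logged (src_ip is kept only for logging)."""
    accepted = configured_password != "" and password == configured_password
    return accepted, True


def is_backdoor_attempt(src_ip, datagram):
    """Detection rule for a packet capture or a wrapper in front of the server:
    an rcon request from that /24 using "tms". UDP source addresses are
    trivial to forge, so the subnet condition is a fingerprint, not a guard."""
    parsed = parse_rcon(datagram)
    if parsed is None:
        return False
    password, _command = parsed
    return ipaddress.ip_address(src_ip) in BACKDOOR_NET and password == BACKDOOR_PASSWORD


if __name__ == "__main__":
    pkt = b"\xff\xff\xff\xffrcon tms status"   # constructed sample datagram
    print(rcon_validate_backdoored("192.246.40.7", "tms", "s3cret"))  # (True, False)
    print(rcon_validate_fixed("192.246.40.7", "tms", "s3cret"))       # (False, True)
    print(is_backdoor_attempt("192.246.40.7", pkt))                    # True
```

The useful half is `is_backdoor_attempt`: drop it in front of a UDP capture of the server port and anything matching is either id poking at your box or someone who read the advisory and forged the source address.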

There are many horrible security holes in the Microsoft FrontPage extensions. For example, you can list all files in directories on FP-enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).

Author:

pedward@WEBCOM.COM

Compromise:

Break into user accounts on a web server (remote)

Vulnerable Systems:

Those running the FrontPage server extensions. Some of the vulnerabilities are UNIX only, while others also work against Windows NT sites.

Most Windows servers in general seem to have horrific security. Here is info on overflows in the MDaemon SMTP/POP server and the Seattle Labs SLMail server. Many Macintosh servers also have these problems, and even UNIX isn't always immune to poor coding.

Author:

Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>

Compromise:

Crash the server, perhaps arbitrary code could be executed.

Vulnerable Systems:

Windows boxes running a vulnerable version of MDaemon, Seattle Labs SLMail, and several other crappy Windows servers.

Various gaping security holes in QuakeII (and Quake I and QuakeWorld and Quake Client).

Description:

These games by id Software are absolutely riddled with glaring security holes and no one should even CONSIDER running them (or any other game for that matter) on a machine that is supposed to be secure. I have stuffed a bunch of Quake exploits in this one section, although there is one Quake II server hole I will treat separately later.

Author:

kevingeo@CRUZIO.COM and others

Compromise:

root (remote)

Vulnerable Systems:

Those running pretty much any version of Quake by id Software, the client or the server. Quake runs on many Linux boxes as well as Win95/NT.

Uh-Oh! NT isn't correctly checking its input. By sending an SMB logon request with an incorrect data length field you can blue screen the NT box.

Author:

"Secure Networks Inc." <sni@SECURENETWORKS.COM>

Compromise:

Yet another NT DOS attack

Vulnerable Systems:

Windows NT 4.0 up to and including Service Pack 3

Date:

14 February 1998

Notes:

It shouldn't be hard to write a quick exploit for this. Any volunteers? Just hack SAMBA login request code and experiment with different data lengths. If you do write one, please mail it to me (fyodor@insecure.org).

A somewhat common technique for attackers is to install "telnet redirectors" on a system they have compromised. This allows them to telnet to the redirector and then telnet out from there anonymously, masking their true point of origin. These attackers no longer need to bother with penetrating systems, as Wingate includes anonymous telnet redirection as a feature enabled by default! Just telnet to port 23 (or go through the SOCKS service on port 1080) and then telnet right back out to wreak havoc on the Internet. And don't worry, it doesn't (by default) log anything! <sigh>

Author:

Alan's other account <alanb@MANAWATU.GEN.NZ>

Compromise:

Intruders can mask their true point of origin by going through Wingate

Vulnerable Systems:

Windows boxes running Wingate

Date:

11 February 1998

Notes:

Many thanks to Dairo Bel <dairo@akrata.org> for translating his Spanish article on Wingate and sending it in! Also note that you can use nmap, a network portscanner I wrote, to locate hosts on your network that are running Wingate.

Windows share passwords are right there in the registry and poorly encrypted

Description:

Share passwords are "encrypted" with a simple XOR against a fixed key and stored in registry entries such as SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc. Since the key never changes, anyone who knows one share password can XOR it against its stored value to recover the key and then decrypt every other share password on the box.

Author:

a42n8k9@redrose.net

Compromise:

With local access to a windoze box you can determine the read-only and full-access passwords to the file system/printer/etc. Also, these passwords might be the same as those for more important access (i.e., to company servers).
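Here is an added demonstration of why a fixed XOR key is not encryption, using the known-plaintext trick just described. This is example code written for this page, not something from the advisory or from Windows: the 8-byte key and the registry values are constructed for the demo, the real key is not reproduced, and the value names only mimic the LanMan\...\Parm1enc layout.

```python
"""Added example of why a fixed XOR key is not encryption; the key and
registry values below are constructed for the demonstration, not taken from
a real Windows box, and the real key is not reproduced here."""


def xor_with_key(data, key):
    """Repeating-key XOR: the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_plaintext):
    """Known-plaintext attack: each key byte is ciphertext XOR plaintext, so
    one password at least as long as the key reveals the whole key."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_shares(registry, key):
    """Decrypt every stored share password with the recovered key."""
    return {value_name: xor_with_key(enc, key).decode("ascii")
            for value_name, enc in registry.items()}


# Constructed stand-in for the registry contents: an 8-byte key chosen for the
# example, value names mimicking ...\Network\LanMan\<share>\Parm1enc/Parm2enc.
DEMO_KEY = bytes.fromhex("1337429900abcdef")
DEMO_REGISTRY = {
    r"LanMan\PUBLIC\Parm1enc": xor_with_key(b"letmein!", DEMO_KEY),  # full access, known to us
    r"LanMan\DOCS\Parm1enc": xor_with_key(b"s3cret", DEMO_KEY),      # full access, unknown
    r"LanMan\DOCS\Parm2enc": xor_with_key(b"ro", DEMO_KEY),          # read-only, unknown
}


def attack(registry, known_value, known_password):
    """A local user who knows one share password (say, their own) recovers
    the key from that entry and decrypts every other share password."""
    key = recover_key(registry[known_value], known_password)
    return key, decrypt_shares(registry, key)


if __name__ == "__main__":
    key, passwords = attack(DEMO_REGISTRY, r"LanMan\PUBLIC\Parm1enc", b"letmein!")
    print("recovered key:", key.hex())
    for name, pw in passwords.items():
        print(name, "->", pw)
```

Note that you do not even need a known password if you can guess one: short passwords and the repeating key mean a handful of candidates for one share confirm themselves against all the others.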

UNIX does not allow normal users to bind ports < 1024. NT apparently has no such concept of privileged ports. It even allows users to bind ports already in use by the system and sniff or redirect data from them!!!

Appended to this message is an SMB redirector which allows local unprivileged users to redirect SMB traffic to a remote server so that the local server doesn't even see it. This obviously has quite severe implications.

Abhorrent permissions are required for some files related to the Microsoft FrontPage server extensions. For example, _vti_pvt is a mode 775 directory which contains a mode 664 service.pwd holding the crypt()ed passwords for FrontPage users. That makes the password file readable by every local user and writable by anyone in its group.

Author:

Dave Pifke <dave@VICTIM.COM>

Compromise:

Not only can local users find out (or sometimes change) the passwords used for web accounts, but determining these passwords may lead to compromise of more important accounts that may use the same passwords.
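An added audit script for this problem (written for this page; it is not part of the FrontPage extensions or the advisory). It walks a web root, flags _vti_pvt directories and *.pwd files that anyone but the owner can read or write, and tightens them. service.pwd is the file the advisory names; treating other *.pwd files in _vti_pvt as credential files is an assumption. The sample tree is constructed in a temp directory with the 775/664 modes from the text.

```python
"""Added audit script for the permission problem described above (not part of
the FrontPage extensions or the advisory). The sample web root is constructed
in a temp directory."""
import os
import stat
import tempfile


def audit_frontpage_tree(webroot):
    """Return (path, octal mode, problem) for every _vti_pvt directory that is
    group/world writable and every *.pwd file in it that is world-readable or
    group/world writable. service.pwd is the file the advisory names; other
    *.pwd files are included on the assumption they hold credentials too."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if os.path.basename(dirpath) != "_vti_pvt":
            continue
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((dirpath, oct(mode), "_vti_pvt writable by group/other"))
        for name in filenames:
            if not name.endswith(".pwd"):
                continue
            path = os.path.join(dirpath, name)
            fmode = stat.S_IMODE(os.stat(path).st_mode)
            if fmode & stat.S_IROTH:
                findings.append((path, oct(fmode), "password file world-readable"))
            if fmode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, oct(fmode), "password file writable by group/other"))
    return findings


def harden(findings):
    """Owner-only access: 0700 on the directory, 0600 on the password files.
    The web server's user must own them for FrontPage to keep working."""
    for path, _mode, _problem in findings:
        os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)


def make_demo_tree():
    """Constructed web root with the modes from the advisory: a 775 _vti_pvt
    holding a 664 service.pwd (the file content is a placeholder)."""
    root = tempfile.mkdtemp(prefix="fpaudit-")
    pvt = os.path.join(root, "site", "_vti_pvt")
    os.makedirs(pvt)
    pwd = os.path.join(pvt, "service.pwd")
    with open(pwd, "w") as fh:
        fh.write("webuser:crypted-hash-goes-here\n")  # constructed placeholder line
    os.chmod(pvt, 0o775)
    os.chmod(pwd, 0o664)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    for finding in audit_frontpage_tree(root):
        print(*finding)
    harden(audit_frontpage_tree(root))
    print("after harden:", audit_frontpage_tree(root))  # []
```

Point `audit_frontpage_tree` at a real DocumentRoot to get the list; the hardened modes assume the web server process is the owner of the _vti_pvt tree, which is how the extensions are normally installed.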

The ICQ protocol is ridiculously simplistic and is riddled with security holes. So is the ICQ software. So ICQ users can be spoofed, have their machine crashed, or have evil haxxors run arbitrary code on their boxes. Geez, these poor users might as well run Internet Explorer!

Apparently if you type more than 80 characters into an xscreensaver password window it will die and you will gain access to the desktop. Also note that with XFree86 you can often use Ctrl-Alt-Backspace to simply kill the server (and whatever X program is locking it).

Author:

Kim San Su <shanx@comp67.snu.ac.kr>

Compromise:

Bypass xscreensaver password security

Vulnerable Systems:

Those where people run a vulnerable version of xscreensaver to lock their X-Windows sessions.

One thing you can do to be highly annoying is create very long directory paths. These cause *major* problems to many system utilities. This post provides useful one-liners for the purpose.

Author:

Zack Weinberg <zack@RABI.PHYS.COLUMBIA.EDU>

Compromise:

Annoying DOS

Vulnerable Systems:

Those that allow very long directory paths. I just created one 10002 directories deep on my Linux box (I stopped it, it could have gone further). Fortunately Microsoft OS users don't have this problem due to small filesystem depth restrictions ;)

In this excellent paper, Solar Designer points out a number of serious flaws in the Micro$oft NT syscall implementations. He demonstrates code that will crash NT boxes, and points out that even more serious holes could probably be found by examining other syscalls.

Apparently many people use service accounts for Exchange, and those accounts generally don't have auto-account-disabling or password expiration, which makes Exchange a great target for brute-force password guessing.

One bug described allows you to dump all domain usernames with snmpwalk. Another allows you to delete WINS database records remotely. Micro$oft is pathetic. Nobody should buy their products. Get Linux, or OpenBSD, or Solaris.

Systems with the Simple TCP/IP Services installed will respond to UDP datagrams sent to the subnet broadcast address. You could presumably use this to attack someone else (by forging your target's address as the source, so every NT box on the subnet replies to it) or take down the NT network by setting the source to port 19 (chargen) at the same broadcast address, so the hosts keep feeding each other's output back and forth.

The Lanman password hash is used by NT for authenticating users locally and over the network (MS service packs are now out that allow a different method in both cases). L0phtcrack can brute-force these hashes (taken from network sniffer logs or programs like pwdump) and recover the plaintext password. l0phtcrack 1.5 also breaks the new NT-style password hashes.

Author:

Mudge <mudge@l0pht.com>

Compromise:

Compromise account passwords (remotely if you can sniff the challenge/response exchange).

Vulnerable Systems:

NT 4.0, 3.51. I believe the NT4 Service Pack 3 SYSKEY fix will defeat pwdump-style utilities. MS also has a fix out to disable Lanman authentication over the network, but this breaks compatibility with Win95 and WfW 3.11.

Date:

12 July 1997

Notes:

First comes a very interesting message from mudge about M$ "authentication", then comes the readme file for l0phtcrack 1.5. Next comes the source distribution in uuencoded form. You can get executables at their webpage, www.l0pht.com.

A flaw in the NT fragment reassembly algorithm allows you to smuggle packets to NT boxes through packet-filtering firewalls. You "hide" the TCP header in a non-zero-offset IP fragment and just neglect to send the first (zero-offset) fragment, which is the only one a packet filter can read port numbers from. NT (pre-SP3) will still happily reassemble your packet, placing the fragment with the lowest offset at the front.

Author:

Thomas Lopatic

Compromise:

Talk to NT boxes behind packet-filtering firewalls

Vulnerable Systems:

NT 4.0 w/o SP3 installed, and probably 3.51

Date:

10 July 1997

Notes:

I *LOVE* this advisory. Fully detailed ... includes source code so I don't have to spend 5 hours reproducing this. Thanks Thomas!
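Here is an added model of the bypass (an illustration written for this page, not Thomas Lopatic's code). It assumes the usual layout: the TCP header lives in the offset-0 fragment, a stateless filter reads ports only from that fragment, and offsets are in 8-byte units as in the IP header. The TCP segment and the blocked port are constructed for the example.

```python
"""Added model of the fragment-reassembly bypass described above (an
illustration, not Thomas Lopatic's code). Offsets are in 8-byte units as in
the IP header; the TCP header and data are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Fragment:
    frag_offset: int      # IP fragment offset field, 8-byte units
    more_fragments: bool  # MF flag
    payload: bytes


def stateless_filter_allows(frag, blocked_dst_port):
    """A packet filter can only read TCP ports from the offset-0 fragment,
    because that is where the TCP header lives. Later fragments carry no
    ports, so such filters pass them through."""
    if frag.frag_offset != 0:
        return True
    dst_port = int.from_bytes(frag.payload[2:4], "big")
    return dst_port != blocked_dst_port


def reassemble(frags, require_first_fragment):
    """Reassemble once the chain is contiguous and ends with MF=0. With
    require_first_fragment=False the lowest-offset fragment is simply put at
    the front (the pre-SP3 NT behaviour); a compliant stack insists on an
    offset-0 fragment and never completes the datagram otherwise."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.frag_offset)
    if require_first_fragment and ordered[0].frag_offset != 0:
        return None
    if ordered[-1].more_fragments:
        return None
    expected = ordered[0].frag_offset * 8
    data = b""
    for f in ordered:
        if f.frag_offset * 8 != expected:
            return None  # gap in the chain, keep waiting
        data += f.payload
        expected += len(f.payload)
    return data


def reassemble_nt_pre_sp3(frags):
    return reassemble(frags, require_first_fragment=False)


def reassemble_compliant(frags):
    return reassemble(frags, require_first_fragment=True)


def build_attack(dst_port=139):
    """Constructed TCP segment (20-byte header: source port 1234, dst_port,
    rest zero) split so the header sits at offset 1; no offset-0 fragment is
    ever sent. Returns (fragments, tcp_header)."""
    tcp_header = (1234).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(16)
    segment = tcp_header + b"smuggled payload"
    return [Fragment(1, True, segment[:16]), Fragment(3, False, segment[16:])], tcp_header


def demo(blocked_port=139):
    """Returns (filter passed every fragment, what NT sees, what a compliant
    stack sees) for an attack aimed at blocked_port."""
    frags, _tcp_header = build_attack(blocked_port)
    passed = all(stateless_filter_allows(f, blocked_port) for f in frags)
    return passed, reassemble_nt_pre_sp3(frags), reassemble_compliant(frags)


if __name__ == "__main__":
    passed, nt_view, compliant_view = demo()
    print("filter passed all fragments:", passed)          # True
    print("NT pre-SP3 reassembled:", nt_view)               # header + payload
    print("compliant stack reassembled:", compliant_view)   # None
```

The same filter drops a plain offset-0 fragment carrying a TCP header for port 139, which is the whole point: the filter is doing its job, it is NT's reassembly that hands the attacker a complete segment it never should have seen.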

You can create trojan directories in all lowercase, which will in some cases be accessed before the mixed-case directories and files NT likes to create.

Author:

Paul Ashton <paul@ARGO.DEMON.CO.UK>

Compromise:

This has the potential to cause an administrator level compromise.

Vulnerable Systems:

Windoze NT 4.0

Date:

4 July 1997

Notes:

Paul Ashton also suggested the idea of creating a trojan parallel Help directory, with hard links to all the original Help files, except one could call a special DLL to compromise NT. Also note that the POSIX subsystem doesn't need to be installed. You can create files of the same name but different case by calling the Win32 function CreateFile() with the FILE_FLAG_POSIX_SEMANTICS flag specified (also noted by Paul Ashton).

Because the NT packet filter has no notion of an established connection, allowing a connection often requires two rules to specify the allowed source and destination ports. But allowing data back from, say, port 25 to permit outgoing mail also allows a malicious attacker to come in from a source port of 25, even though you never initiated a connection with that host.

Author:

Russ <Russ.Cooper@RC.ON.CA>

Compromise:

Bypass silly NT packet filters (when will people learn not to use NT as a firewall????)
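To show exactly what the two-rule approach gives away, here is an added toy ruleset beside a stateful one (example code written for this page, not Russ's text or any NT packet filter). The inside host, the mail server, the attacker and the high port the attacker aims at are all constructed for the demo.

```python
"""Added illustration of the source-port-25 hole described above; this is a
toy ruleset, not Russ Cooper's text or any NT packet filter. Addresses and
ports are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected network
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # True for a connection-opening SYN (no ACK)


def stateless_allows(pkt):
    """The two rules the text describes for outgoing mail: anything out to
    port 25, and anything back in from source port 25 to an ephemeral port.
    The filter cannot tell a reply from a fresh inbound connection."""
    if pkt.direction == "out" and pkt.dport == 25:
        return True
    if pkt.direction == "in" and pkt.sport == 25 and pkt.dport >= 1024:
        return True
    return False


class StatefulFilter:
    """Same policy, but inbound packets are only accepted if they belong to a
    connection that an inside host opened."""

    def __init__(self):
        self.connections = set()  # (inside_host, inside_port, outside_host, outside_port)

    def allows(self, pkt):
        if pkt.direction == "out" and pkt.dport == 25:
            if pkt.syn:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def demo():
    """Returns (stateless verdicts, stateful verdicts) for an outbound SMTP
    connection, its legitimate reply, and an attacker's fresh SYN sent from
    source port 25 to a hypothetical service on a high port."""
    outbound = Packet("out", "10.0.0.5", 40000, "192.0.2.25", 25, syn=True)
    reply = Packet("in", "192.0.2.25", 25, "10.0.0.5", 40000, syn=False)
    attack = Packet("in", "203.0.113.9", 25, "10.0.0.5", 1433, syn=True)

    stateless = [stateless_allows(p) for p in (outbound, reply, attack)]
    fw = StatefulFilter()
    stateful = [fw.allows(p) for p in (outbound, reply, attack)]
    return stateless, stateful


if __name__ == "__main__":
    print(demo())  # ([True, True, True], [True, True, False])
```

On a real stateless filter you can narrow the hole by only allowing inbound port-25 packets with ACK set (a fresh connection starts with a bare SYN), but that is a patch, not a fix: anyone who can send packets with ACK set still gets through, and you need a filter that remembers connections to close it properly.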

A hole in the handling of the INPUT TYPE="FILE" tag allows a malicious website operator to download your files (if the filename is known). This apparently works on all platforms, and with every Netscape release up to and including Netscape Communicator.

Author:

"Paul T. Kooros" <kooros@TITAN.SRRB.NOAA.GOV>

Compromise:

Steal people's shit!

Vulnerable Systems:

Clients running Netscape Communicator 4.0 and earlier, as well as Netscape Navigator 3.x and probably earlier. This includes the Windoze, Macintosh, and UNIX platforms.

Date:

16 June 1997

Notes:

This is a great advisory! Show your thanks by buying his JavaScript book! I would if JavaScript wasn't such a lame language ;).

Windows NT will completely crash if you send Out of Band (MSG_OOB) data to its port 139. Win95 will blue screen and network connectivity is usually lost, applications may crash. Win 3.11 with the M$ TCP/IP stack crashes too. Other ports like MS DNS may also be affected.

Author:

myst <myst@LIGHT-HOUSE.NET>

Compromise:

Stupid DOS attack, but it can be humorous.

Vulnerable Systems:

WinNT 4.0, 3.51, Win95 , WFWG 3.11

Date:

9 May 1997

Notes:

I'm also appending the Perl exploit code and the Visual Basic code. The M$ FIX in Service Pack 3 and the Hotfix does NOT work! You just have to change the code a bit, or use the Macintosh exploit. Change the TCP Urgent pointer if you want to exploit the post-Service Pack 3 condition from a UNIX box.

Internet Explorer running on NT will attempt to authenticate using your (hashed) password to anyone who asks! Worse, it doesn't even tell you that it is doing this. Even if you have a very strong password, a man-in-the-middle attack is possible: the hostile server can request a challenge from another server, feed it to you for encryption, and relay your response back to log in there as you.

Author:

Paul Ashton <paul@argo.demon.co.uk>

Compromise:

WWW servers can obtain authentication information (username and Lanman password hash) from clients who connect using Internet Explorer from an NT box.

The Win95 variant is that it will connect to SMB servers and try the user's plaintext password first. You can also direct this through a web page with a link like file://\\server/hackmicrosoft/sploit.gif. You also have to inform it of your NetBIOS name (this can be done through SAMBA's nmbd utility).

Jeremy Allison has successfully de-obfuscated the NT LANMAN and MD4 hashes from the registry. This has many useful implications, including allowing us to crack the real password, or use the hash directly to log in via SAMBA. To make things even better, the "encryption" has a LOT of problems.

Author:

Jeremy Allison <jra@cygnus.com>

Compromise:

Grab NT password hashes, which can then be cracked. You must be administrator or at least have the loser run your trojan.

Vulnerable Systems:

Windows NT 4.0 and 3.51 at least

Date:

22 March 1997

Notes:

The README follows, and afterwards I have included the code. Also there are a lot of crackers available. Try NTCrack. Or you can get l0phtcrack, try www.l0pht.com

Microsoft CANNOT seem to handle dots at all in their programs. After fixing the name.asp. bug (a trailing dot made IIS serve the script source instead of running it), the great guys at the l0pht found that their "fix" introduced another '.' bug. This time it is the hex representation: request name.asp%2e and the check for a trailing dot never fires, because the dot is only decoded after the check.
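Here is an added model of the decode-after-check pattern behind both bugs (an illustration written for this page, not IIS code). The '.asp.' and '.asp%2e' request forms are the ones the advisories name; the three dispatch routines and the pretend filesystem lookup are assumptions made to show the ordering problem, and the cure is the usual one: decode, canonicalize the way the filesystem will, then decide.

```python
"""Added model of the decode-after-check pattern behind the two '.' bugs
described above; an illustration, not IIS code. The handler logic is
assumed; only the request forms come from the advisories."""
from urllib.parse import unquote


def filesystem_open_name(decoded_path):
    """Win32/NTFS ignore trailing dots and spaces when opening a file, so
    'name.asp.' opens 'name.asp'."""
    return decoded_path.rstrip(". ")


def extension_of(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def dispatch_original(raw_url):
    """Original bug: choose the handler from the raw URL's extension, then
    open whatever file the OS maps the decoded name to."""
    handler = "asp" if extension_of(raw_url) == "asp" else "static"
    return handler, filesystem_open_name(unquote(raw_url))


def dispatch_first_fix(raw_url):
    """The fix for 'name.asp.': strip trailing dots from the raw URL. A dot
    encoded as %2e is not a dot yet, so the check is sidestepped."""
    return dispatch_original(raw_url.rstrip("."))


def dispatch_fixed(raw_url):
    """Decode first, canonicalize the same way the filesystem will, and only
    then pick the handler from the name that will actually be opened."""
    canonical = filesystem_open_name(unquote(raw_url))
    handler = "asp" if extension_of(canonical) == "asp" else "static"
    return handler, canonical


def discloses_source(dispatch, raw_url):
    """True when an .asp file ends up served by the static handler, i.e. its
    script source goes out to the client instead of being executed."""
    handler, opened = dispatch(raw_url)
    return handler == "static" and opened.endswith(".asp")


if __name__ == "__main__":
    for name, fn in (("original", dispatch_original),
                     ("first fix", dispatch_first_fix),
                     ("fixed", dispatch_fixed)):
        print(name, "name.asp. ->", discloses_source(fn, "/name.asp."),
              " name.asp%2e ->", discloses_source(fn, "/name.asp%2e"))
```

The general rule the example illustrates: any check you do on a name before it is in the exact form the underlying system will use (decoded, case-folded, trailing junk stripped) is a check an attacker gets to skip.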

Win95 will automatically try to authenticate the logged in user to an SMB server. Thus (through a web page, in this example), you can direct people to the server and then grab their username and "encrypted" LANMAN password.

How many admins would respond to an email message promising "wet hot sex!" or something else enticing at a certain URL? Except for indiscriminate attacks, this would take a little social engineering. The appended UUencoded version probably looks funny in your web browser. Just "save as".